Generalized network security policy templates for implementing similar network security policies across multiple networks
Abstract
The present invention is directed to a facility for adapting a network security policy model for use in a particular network. The facility retrieves the network security policy model, which comprises network security rules each specified with respect to one or more aliases. Each alias represents a role in a network for one or more network elements. The facility receives, for each alias included in the network security policy model, a list of one or more network elements in the network serving the role represented by the alias. The facility replaces each alias in the network security policy model with the list of network elements received for that alias, producing a network security policy adapted for use in that network.
16 Claims
1. A method in one or more computer systems for creating network security policies for providing network security services in a plurality of protected computer networks, each protected network incorporating a plurality of network elements, by:
generating a generalized network security policy that defines one or more rules for conducting network security in a single network, each rule being specified relative to classes of network elements;
for each protected network, generating a network profile identifying the network elements within the protected network that are members of the classes of the generalized network security policy; and
from the generalized network security policy and the network profile for the protected network, generating a specific network security policy that defines one or more rules for conducting network security in the protected network, each rule being specified relative to network elements within the protected network.

Dependent claims 2 through 11 follow. One of them (claim number not reproduced on the page) adds:
modifying the generated generalized network security policy; and
for each protected network, from the modified generalized network security policy and the network profile for the protected network, generating a new specific network security policy that defines one or more rules for conducting network security in the protected network.
8. The method of claim 1, further comprising the steps of, for a selected protected network, supplementing the specific network security policy with an additional rule specified relative to network devices of the selected protected network.

9. The method of claim 8 wherein the additional rule is specified relative to dynamic groups of network devices of the selected protected network.

10. The method of claim 8, further comprising:
modifying the generated network security policy;
from the modified network security policy and the network profile for the selected protected network, generating a new specific network security policy for the selected protected network; and
supplementing the new specific network security policy for the selected protected network with the additional rule.

11. The method of claim 1 wherein each protected network incorporates a network security device for providing network security services in the protected network,
the method further comprising, for each protected network, using the specific network security policy generated for the protected network to configure the network security device for the network.
12. A computer-readable medium whose contents cause one or more computer systems to create network security policies for providing network security services in a plurality of computer networks, each network incorporating a plurality of network elements, by:
generating a network security policy template that defines one or more rules for conducting network security in a single network, each rule being specified relative to classes of network elements;
for each network, generating a network profile identifying the network elements within the network that are members of the classes of the network security policy template; and
from the network security policy template and the network profile for the network, generating a network security policy that defines one or more rules for conducting network security in the network, each rule being specified relative to network elements within the network.

Dependent claim 13 adds:
modify the generated network security policy template; and
for each network, from the modified network security policy template and the network profile for the network, generate a new network security policy that defines one or more rules for conducting network security in the network.
14. A computer environment for developing a network security policy for a protected network, comprising:
a memory having a network security policy template allocation and a network profile allocation, the security policy template allocation containing a security policy template defining network security directives expressed relative to network elements having specified roles, and the network profile allocation containing a network profile identifying, for each of a plurality of the roles specified in the security policy template, one or more network elements in the protected network having the specified role; and
one or more processors that merge the network security policy template contained by the network security policy template allocation with the network profile contained by the network profile allocation to produce a network security policy for the protected network.

Dependent claims 15 and 16 follow. Claim 15 adds:
a network security device for implementing the network security policy produced by the processor.

16. The computer environment of claim 15, further comprising:
a secure communications subsystem for communicating the network security policy produced by the processor to the network security device.
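The alias expansion the claims describe (template rules written over classes of network elements, a per-network profile mapping each class to its members, per-network supplemental rules that are re-applied when the template changes), as an added example in Python. This is not code from the patent or from any product implementing it. It assumes a first-match rule base, an explicit SITE_RULES placeholder in the template marking where a network's supplemental rules are inserted (the claims only say the specific policy is "supplemented"), and constructed sample profiles, addresses and rule names; the shadowing check at the end is an addition the claims do not mention.

```python
"""Added example: expand a generalized (alias-based) network security policy
into concrete per-network policies, apply per-network supplements, and check
the result for shadowed rules under first-match semantics."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # template: alias (class name); concrete: IP host or CIDR
    dst: str
    service: str   # e.g. "tcp/25"; "*" means any service
    action: str    # "allow" | "deny" | "site-rules" (placeholder, template only)


# Assumed convention (not from the page): the template carries an explicit
# placeholder marking where a network's supplemental rules are inserted.
SITE_RULES = Rule("site-specific", "", "", "", "site-rules")


def expand(template, profile, supplement=()):
    """Replace each alias in each template rule with the profile's member
    list; every (src, dst) pair becomes one concrete rule. An alias that is
    missing from the profile or has no members is refused outright: silently
    dropping a rule (a deny rule especially) is worse than generating nothing."""
    concrete = []
    for rule in template:
        if rule.action == "site-rules":
            concrete.extend(supplement)
            continue
        for alias in (rule.src, rule.dst):
            if not profile.get(alias):
                raise ValueError(f"alias {alias!r} has no members in this profile")
        for s in profile[rule.src]:
            for d in profile[rule.dst]:
                concrete.append(Rule(rule.name, s, d, rule.service, rule.action))
    return concrete


def generation_error(template, profile, supplement=()):
    """Error message if the policy cannot be generated, else None."""
    try:
        expand(template, profile, supplement)
    except ValueError as exc:
        return str(exc)
    return None


def _covers(earlier, later):
    """True if `earlier` matches every packet `later` would match."""
    return (ip_network(earlier.src).supernet_of(ip_network(later.src))
            and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
            and earlier.service in ("*", later.service))


def shadowed(rules):
    """Names of concrete rules that can never fire because an earlier rule
    already covers them (first-match rule base)."""
    return [r.name for i, r in enumerate(rules)
            if any(_covers(e, r) for e in rules[:i])]


# Constructed sample template, profiles and supplement (not from the page).
TEMPLATE = [
    Rule("allow-smtp-in", "internet", "mail_servers", "tcp/25", "allow"),
    Rule("allow-web-out", "internal_clients", "internet", "tcp/443", "allow"),
    SITE_RULES,
    Rule("default-deny", "any", "any", "*", "deny"),
]
PROFILES = {  # network name -> (alias -> members of that class in the network)
    "branch-a": {"internet": ["0.0.0.0/0"], "any": ["0.0.0.0/0"],
                 "mail_servers": ["10.1.0.10"],
                 "internal_clients": ["10.1.1.0/24"]},
    "branch-b": {"internet": ["0.0.0.0/0"], "any": ["0.0.0.0/0"],
                 "mail_servers": ["10.2.0.10", "10.2.0.11"],
                 "internal_clients": ["10.2.1.0/24", "10.2.2.0/24"]},
}
SUPPLEMENTS = {  # per-network rules that exist only in that network (claim 8)
    "branch-b": [Rule("allow-print", "10.2.1.0/24", "10.2.3.7", "tcp/9100", "allow")],
}


def build_all(template=TEMPLATE, profiles=PROFILES, supplements=SUPPLEMENTS):
    """Regenerate every network's policy from the (possibly modified)
    template, re-applying that network's supplement (claims 1 and 10)."""
    return {name: expand(template, prof, supplements.get(name, ()))
            for name, prof in profiles.items()}


def misplaced_site_rules():
    """What goes wrong if the placeholder sits after the catch-all deny:
    the supplement is generated but shadowed, so it never takes effect."""
    template = [r for r in TEMPLATE if r is not SITE_RULES] + [SITE_RULES]
    return shadowed(expand(template, PROFILES["branch-b"], SUPPLEMENTS["branch-b"]))


if __name__ == "__main__":
    for network, policy in build_all().items():
        print(network, len(policy), "rules; shadowed:", shadowed(policy))
    print("misplaced placeholder shadows:", misplaced_site_rules())
```

Two points a practitioner would check in such a generator: a class with no members in a given profile must be an error, not an empty expansion, because an expanded deny rule that quietly disappears widens that network's policy; and where the per-network supplement lands relative to the template's catch-all rule decides whether it ever matches, which is why the placeholder is explicit and the output is run through a shadowing check before it is pushed to the network security device.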
Specification